v2.3.6 message delete causes signal 10

Andrew Findlay andrew.findlay at skills-1st.co.uk
Fri Jun 30 14:47:12 EDT 2006


On Fri, May 26, 2006 at 12:11:05PM -0400, Ken Murchison wrote:

> >Cyrus IMAP v2.3.3 (with sasl v2.1.21) ran fine.  Any ideas?
> 
> Can you get a backtrace from a core dump?

I have a similar problem using 2.3.6 murder on CentOS 4.3 (very like
RHEL 4) on 32-bit x86.

In my case it is the front-end imap proxyd that crashes and the
signal is 11 (SIGSEGV) but the case seems very similar: it happens
when deleting messages and the traceback shows prot_printf() as the
active function.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208183104 (LWP 22222)]
0x0809462c in prot_printf (s=0x8312250, fmt=0x80aa579 " %s ") at prot.c:960
960     prot.c: No such file or directory.
        in prot.c
(gdb) where
#0  0x0809462c in prot_printf (s=0x8312250, fmt=0x80aa579 " %s ") at prot.c:960
#1  0x0805124b in cmd_store (tag=0x83126a8 "a0008", sequence=0x8312788 "8", usinguid=1)
    at imapd.c:4169
#2  0x0805f53b in cmdloop () at imapd.c:1640
#3  0x08060687 in service_main (argc=1, argv=0x8308008, envp=0xbff0b8ac) at imapd.c:789
#4  0x0804c545 in main (argc=1, argv=0xbff0b8a4, envp=0xbff0b8ac) at service.c:532
(gdb) up
#1  0x0805124b in cmd_store (tag=0x83126a8 "a0008", sequence=0x8312788 "8", usinguid=1)
    at imapd.c:4169
4169    imapd.c: No such file or directory.
        in imapd.c
(gdb) print tag
$1 = 0x83126a8 "a0008"
(gdb) print operation
$2 = {s = 0x0, len = 0, alloc = 0}
(gdb) print &operation
$3 = (struct buf *) 0x8135d20
(gdb) print tag
$4 = 0x83126a8 "a0008"
(gdb) print cmd
$5 = 0x80aa558 "UID Store"
(gdb) print sequence
$6 = 0x8312788 "8"
(gdb) print operation
$7 = {s = 0x0, len = 0, alloc = 0}

I think the problem is the last parameter to the prot_printf call:
in cmd_store() the call looks like this:

    if (backend_current) {
        /* remote mailbox */
        prot_printf(backend_current->out, "%s %s %s %s ",
                    tag, cmd, sequence, operation);
        pipe_command(backend_current, 65536);
        return;
    }

'operation' is declared as:

	static struct buf operation, flagname;

but it is not assigned a value before prot_printf() is called so
when prot_printf() tries to do strlen() it gets SEGV.

I am not sure what is intended here, nor am I sure why we are doing
a STORE operation in the first place!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
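An added example, not Cyrus code and not part of Andrew's post: a small C reconstruction of the failure mode described above. `struct buf` has the same three fields gdb printed, but `buf_setcstr`, `buf_free`, `checked_format`, `build_store_line` and `store_line_example` are this example's own simplified stand-ins for the Cyrus helpers and for the `%s` path of `prot_printf()`, written so that the never-assigned buffer is refused instead of dereferenced.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Cyrus's struct buf: field names match the gdb output above
 * ({s = 0x0, len = 0, alloc = 0}); the helpers are this example's, not Cyrus's. */
struct buf {
    char *s;
    size_t len;
    size_t alloc;
};

/* Set the buffer to a copy of str, (re)allocating as needed. */
static void buf_setcstr(struct buf *b, const char *str)
{
    size_t n = strlen(str);
    if (n + 1 > b->alloc) {
        char *p = realloc(b->s, n + 1);
        if (!p) abort();
        b->s = p;
        b->alloc = n + 1;
    }
    memcpy(b->s, str, n + 1);
    b->len = n;
}

static void buf_free(struct buf *b)
{
    free(b->s);
    b->s = NULL;
    b->len = b->alloc = 0;
}

/* "%s"-only formatter standing in for the %s path of prot_printf. A real
 * formatter calls strlen() on each %s argument, so a NULL pointer there is
 * undefined behaviour (the SIGSEGV in the report). This one refuses NULL,
 * and output that would not fit, with -1; otherwise it returns the number
 * of bytes written to out. */
static int checked_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;

    va_start(ap, fmt);
    for (const char *p = fmt; *p; p++) {
        if (p[0] == '%' && p[1] == 's') {
            const char *arg = va_arg(ap, const char *);
            if (arg == NULL) goto fail;          /* the unset-buffer case */
            size_t n = strlen(arg);
            if (pos + n >= outsz) goto fail;
            memcpy(out + pos, arg, n);
            pos += n;
            p++;                                 /* skip the 's' */
        } else {
            if (pos + 1 >= outsz) goto fail;
            out[pos++] = *p;
        }
    }
    va_end(ap);
    out[pos] = '\0';
    return (int)pos;
fail:
    va_end(ap);
    return -1;
}

/* The line the proxy writes to the backend in cmd_store(). The buf's
 * string field is what reaches %s; for a never-set static buf it is NULL. */
static int build_store_line(char *out, size_t outsz, const char *tag,
                            const char *cmd, const char *sequence,
                            const struct buf *operation)
{
    return checked_format(out, outsz, "%s %s %s %s ",
                          tag, cmd, sequence, operation->s);
}

/* Both cases from the report, with the tag/cmd/sequence gdb printed.
 * op == NULL models the unassigned buffer; otherwise the buffer is set to
 * op first. The formatted line is left in g_line. */
static char g_line[128];

static int store_line_example(const char *op)
{
    static struct buf operation;     /* static, so zero-filled: s == NULL */
    int rc;

    if (op) buf_setcstr(&operation, op);
    rc = build_store_line(g_line, sizeof g_line,
                          "a0008", "UID Store", "8", &operation);
    buf_free(&operation);            /* back to the never-set state */
    return rc;
}

int main(void)
{
    if (store_line_example(NULL) < 0)
        puts("refused: operation never set (prot_printf would SIGSEGV)");
    if (store_line_example("+FLAGS") >= 0)
        printf("to backend: \"%s\"\n", g_line);
    return 0;
}
```

The example passes the buffer's string field (`operation->s`) to `%s`; handing a `%s` conversion anything other than a `char *` is undefined behaviour in C whatever the buffer's state, so the safe shape is always to assign the buffer first and then pass its string field.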

